

2 Networks - One linux box (security question)

Posted on 2003-02-25
Medium Priority
Last Modified: 2010-03-18
OK, I have a Linux box set up where I work. The building is entirely Windows NT/2000 based, with no Linux servers anywhere. I have my Linux box set up with 2 NICs in it, one connected to this corporate network (which has a T1 secured with a Sidewinder Firewall system), and the other NIC goes to a DSL router (completely open and unsecured).

I am using this DSL line to get Internet access, since the proxy server runs Microsoft Proxy Server, and machines need to have the Microsoft Proxy Client installed to work. Well, Linux won't connect through this proxy; that is why I have the extra DSL.

What I'm asking is how I can secure the corporate network connection from the DSL so that users can't hack through the DSL line, through my Linux box (which is always on) and into the corporate network, completely bypassing the Sidewinder firewall they have set up.

I need to know what to set up so that I can get Internet and run some services (such as Apache and MySQL) through this DSL, but not allow any connections going through the DSL line to access the other NIC.

Please help me on this, it would be greatly appreciated.  Thanks in advance.
Question by: phraxion

Expert Comment

ID: 8024408
If you have iptables, use gshield, http://muse.linuxmafia.org/gshield.html
However, if you run a service to the outside, no firewall will protect you if the service itself is vulnerable since the firewall is configured to allow all traffic to the service.

Bob Gunzel

Accepted Solution

jeordsta earned 400 total points
ID: 8037919

If all you are concerned about is people going _through_ your server then the answer is simple:

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP

Even this is overkill. The first line tells the kernel never to retransmit packets, that is, never to act as a router. This will stop any packets coming in on one interface from going out on the other.

The second line tells the kernel to set a policy (-P) to drop anything that is being forwarded. But since you're already not allowing forwarding in your kernel, this is overkill.

However, the much more difficult question is whether you are worried about people hacking your computer and then using that to get access to the internal network. You must do some more subtle firewalling then to ensure that your computer doesn't get hacked. A good starting point is:

iptables -P INPUT DROP

This tells the kernel to drop any connection attempts unless they have been explicitly allowed. It is then possible to exercise fine-grained control over what you allow to access your computer. For example, if you want to run a web server you can explicitly allow connections to port 80 (http) by typing:

iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT

This tells the kernel to append (-A) a rule to the input firewalling table that anything of protocol tcp (-p tcp) arriving on the DSL interface (-i ppp0; I assume that is your DSL interface) having destination port 80 (--dport 80) should be accepted. This would allow external access to the web service. If you wanted everyone on your internal network full access to your computer you would type:

iptables -A INPUT -i eth0 -j ACCEPT

(assuming that your internal nic is eth0).

Similarly for MySQL. It is just a matter of finding out what port it uses and allowing it similarly to the http server above.
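The ruleset the accepted answer describes, assembled into one script as an added example (this is not code from the original thread). It assumes the interface names the poster gives in the follow-up (eth0 internal, eth1 DSL), that Apache on tcp/80 is the only service to expose on the DSL side, and that MySQL (tcp/3306) is reached only from the internal side. The ESTABLISHED,RELATED rule is the one addition a practitioner would make to the answer's `-P INPUT DROP`: without it, replies to the box's own outbound connections (web browsing over the DSL) are dropped as well.

```shell
#!/bin/sh
# Added example, not code from the original thread: the ruleset the accepted
# answer sketches, assembled into one reviewable script.
# Assumptions (from the poster's follow-up): eth0 = internal corporate NIC,
# eth1 = DSL NIC. Exposed to the DSL side: only Apache on tcp/80. MySQL
# (tcp/3306) is left reachable from the internal side only.

INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"

# Print the commands rather than running them, so the ruleset can be read
# and diffed before it touches a live box.
build_rules() {
cat <<EOF
# never route between the two NICs
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
# deny by default for traffic to and through the box; its own outbound traffic is fine
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, and replies to connections this box opened (web browsing over DSL
# stops working under a DROP input policy without this rule)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one service exposed to the DSL side
iptables -A INPUT -i ${EXT_IF} -p tcp --dport 80 -j ACCEPT
# internal side gets full access (as in the accepted answer); MySQL on 3306 is
# reachable only from here, since nothing opens it on ${EXT_IF}
iptables -A INPUT -i ${INT_IF} -j ACCEPT
# record what the DSL side throws at us, rate-limited so it cannot fill the log
iptables -A INPUT -i ${EXT_IF} -m limit --limit 5/min -j LOG --log-prefix "dsl-drop: "
EOF
}

# Apply the ruleset; refuses to run unless root, and stops at the first failure.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    build_rules | sh -e
}

# Lines in the ruleset that ACCEPT traffic arriving on a given interface;
# useful for checking what the DSL side is actually allowed to reach.
accepts_on() {
    build_rules | grep "^iptables -A INPUT -i $1 " | grep -- '-j ACCEPT' || true
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it with no arguments to print the commands for review; `apply` as root runs them. `accepts_on eth1` is the quick answer to "what can the DSL side reach?" and should list exactly the port 80 rule.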

Author Comment

ID: 8038323
Now... after doing all of this, how can I test to see if I've secured off the internal network from any connections on the DSL line (which is coming in through eth1; my internet is eth0)?

Author Comment

ID: 8038339
eth0 = internal network
eth1 = DSL line (hooked to a router)

Expert Comment

ID: 8038625

Yes, it is quite easy to test. Gather the following equipment/information:
1) the IP address of the DSL modem
2) the IP of eth1 on your machine
3) an IP of a reliable server on the inside of the network which you can ping from your machine (through eth0)
4) a laptop with a NIC (running any operating system)

Now give the laptop identical configurations to the DSL modem and plug it into your eth1. Add a route to the internal IP like this:
# Linux laptop:
route add -host reliableIP gw eth1addr
# Windows laptop (a host route needs an explicit mask):
route add reliableIP mask 255.255.255.255 eth1addr

And then ping the reliable IP from the laptop. You should be able to ping the reliable IP if kernel forwarding is on and ipforwarding is on. That is, if you do:
echo 1 > /proc/sys/net/ipv4/ip_forward
you should be able to ping the reliable host. Then doing the opposite:
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
should disable pinging (as mentioned in my previous post, only one of these lines is strictly necessary).

Good luck, Geordie.
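A way to check the same two conditions from the Linux box itself, without the laptop, as an added example that is not part of the thread. It assumes the poster's interface naming (eth1 = DSL) and that `iptables -S` is available on the box; the parsing functions take captured output so they can be exercised offline. The second check is stricter than the laptop test in one respect: a FORWARD chain with policy DROP but a stray `-j ACCEPT` rule would pass a ping test only until that rule's match fires, so the script treats any ACCEPT rule in the chain as a failure.

```shell
#!/bin/sh
# Added check script, not from the original thread. Verifies from the Linux
# box itself the two conditions the laptop test exercises: the kernel is not
# forwarding, and the FORWARD chain is policy DROP with no ACCEPT rule that
# could let DSL-side traffic (eth1, per the poster) cross to the internal side.
# The parsing functions take input as an argument or on stdin so they can be
# run against captured output as well as the live system.

# $1: path of the ip_forward sysctl file (default: the live one).
# Returns 0 when forwarding is off, 1 when on, 2 when unreadable.
ip_forward_is_off() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Reads 'iptables -S FORWARD' output on stdin. Returns 0 only if the chain
# policy is DROP and no rule in it jumps to ACCEPT; a single ACCEPT rule
# (e.g. "-A FORWARD -i eth1 -o eth0 -j ACCEPT") reopens the path the
# policy was meant to close, so it fails the check. Empty input (iptables
# missing or not root) also fails.
forward_chain_is_closed() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^-P FORWARD DROP$' || return 1
    if printf '%s\n' "$rules" | grep -q '^-A FORWARD .*-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Run both checks on the live system; prints a verdict per check and returns
# non-zero if either fails. Needs root for iptables -S.
audit_forwarding() {
    rc=0
    if ip_forward_is_off; then
        echo "ok:   net.ipv4.ip_forward = 0"
    else
        echo "FAIL: net.ipv4.ip_forward is 1 or unreadable"; rc=1
    fi
    if iptables -S FORWARD 2>/dev/null | forward_chain_is_closed; then
        echo "ok:   FORWARD policy DROP, no ACCEPT rules"
    else
        echo "FAIL: FORWARD chain open (policy not DROP, has ACCEPT rules, or iptables unavailable)"; rc=1
    fi
    return $rc
}

# Only audit when invoked as "script audit"; otherwise just define the functions.
if [ "${1:-}" = "audit" ]; then
    audit_forwarding
fi
```

Run `sh check-forward.sh audit` as root on the box after applying the rules; both lines should read "ok". Re-run it after any later iptables change, since a rule added to FORWARD for some other purpose is exactly what would silently reopen the path between the two NICs.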

Author Comment

ID: 8112294
works perfectly... thanks
